VLC Responds to Criticism Over Lack of HTTPS for Updates

The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.

Several people have submitted bug reports to VLC over the past period regarding the use of HTTP instead of HTTPS for software updates. A report submitted five days ago has triggered some heated discussions on Twitter and Reddit regarding the associated risks.

When VLC is updated, the client communicates with the server over HTTP, which, in theory, exposes the connection to man-in-the-middle (MitM) attacks and could allow a threat actor to replace the legitimate update with a malicious one without the user’s knowledge.

VLC developers believe that the use of HTTP in their case poses a small risk due to the way the update system has been implemented. They say they do plan on rolling out a new update system, but claim that it’s not an easy task and they have other priorities right now.

They’ve pointed out that the current system is not as insecure as some claim due to the fact that updates are cryptographically signed to ensure that they have not been tampered with.

Some experts have highlighted that the updates are signed using a hardcoded 1024-bit DSA key, which is relatively weak by modern standards. Moreover, they’ve noted that the signing key has not been changed for several years.

While Internet giants and the entire cybersecurity industry have been pushing for the widespread adoption of HTTPS, the developers of the media player and some security experts say the risk is small and attacks would not be easy to carry out.

First, the attacker only has a small window on opportunity to replace the update, they need to be able to intercept traffic, and they must create a malicious update whose signature matches the one of the legitimate update. The resources and knowledge needed to pull off such an attack are often limited to state-sponsored threat actors.

Jean-Baptiste Kempf, one of the lead developers of VLC and the president of the VideoLAN non-profit organization, explained that while it’s possible to break DSA encryption such as the one used for the update process, creating a fake signed DSA message corresponding to a public key is much more difficult.

“As for DSA, it is weak indeed, because you can brute-force decrypting, but to create a valid fake message is a different task. And the code supports RSA for the new system, as you can see in the source code file,” Kempf explained. “The system is not perfect, but is far from being broken as some people would like to pin.”

He noted that Linux distributions and some major tech companies also perform updates over HTTP but use signed updates to prevent manipulation.

Many reputable cybersecurity experts agree with VLC’s assessment of the risk. Others agree that the risk is small, but still think that VLC should start using HTTPS.

Other industry professionals, however, don’t like the tone of VLC’s response, with several people describing the messages as “rude.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.